In an attempt to achieve a higher click-through rate for their exploit- and malware-serving campaign, cybercriminals are currently spamvertising millions of emails that try to trick users into thinking they’ve become part of a private conversation about missing EPLI policies.

In reality, clicking on any of the links in the oddly formulated email will expose them to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

The following malicious domains also respond to these IPs: canadianpanakota.ru, lemonadiom.ru, peneloipin.ru, veneziolo.ru, forumibiza.ru, controlleramo.ru, moneymakergrow.ru, fionadix.ru, linkrdin.ru, geforceexlusive.ru

We also know that on 2012-11-12 10:58:07, the following client-side exploit-serving domain was also responding to the same IP (202.180.221.186) – hxxp://canadianpanakota.ru:8080/forum/links/column.php. Upon successful client-side exploitation, this URL dropped MD5: 532bdd2565cae7b84cb26e4cf02f42a0 – detected by 33 out of 44 antivirus scanners as Worm:Win32/Cridex.E.

We’re also aware of two more client-side exploit-serving domains responding to the same IP (202.180.221.186): on 2012-11-15 19:49:33 – hxxp://investomanio.ru/forum/links/public_version.php, and on 2012-11-15 04:40:06 – hxxp://veneziolo.ru/forum/links/column.php.
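For defenders who want to check proxy logs against the three landing URLs and the shared IP above, here is an added example (not code from the original post). The log layout, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the post (defanged there as hxxp://).
PAGE_URLS = [
    "hxxp://canadianpanakota.ru:8080/forum/links/column.php",
    "hxxp://investomanio.ru/forum/links/public_version.php",
    "hxxp://veneziolo.ru/forum/links/column.php",
]
PAGE_IP = "202.180.221.186"

def refang(url):
    """Turn a defanged hxxp:// URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)

KNOWN_HOSTS = {urlsplit(refang(u)).hostname for u in PAGE_URLS}
# Path shape shared by all three landing URLs in the post. On its own this
# is a weak signal (ordinary forums can match), so it is reported separately.
LANDING_PATH = re.compile(r"^/forum/links/[a-z_]+\.php$")

def classify(line):
    """Return the reasons a proxy log line matches, or [] if none.

    Assumed log layout (constructed for this example):
    '<timestamp> <client_ip> <dest_ip> <method> <url>'
    """
    parts = line.split()
    if len(parts) != 5:
        return []  # malformed line: skip rather than guess
    _, _, dest_ip, _, url = parts
    u = urlsplit(url)
    reasons = []
    if u.hostname in KNOWN_HOSTS:
        reasons.append("known-host")
    if dest_ip == PAGE_IP:
        reasons.append("known-ip")
    if LANDING_PATH.match(u.path):
        reasons.append("landing-path")
    return reasons

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2012-11-15T19:50:01Z 10.0.0.5 202.180.221.186 GET http://investomanio.ru/forum/links/public_version.php",
    "2012-11-15T19:51:12Z 10.0.0.7 198.51.100.9 GET http://example.org/forum/links/column.php",
    "2012-11-15T19:52:30Z 10.0.0.8 203.0.113.4 GET http://example.com/index.html",
]

def scan(lines):
    """Return (client_ip, reasons) for every line with at least one match."""
    return [(l.split()[1], r) for l in lines if (r := classify(l))]
```

A client that matches on host or IP is a candidate for Cridex triage; a path-only match needs corroboration before it is treated as an incident.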
